Microchip logo
  • All
  • Products
  • Documents
  • Applications Notes

Amnesia Network Stack (TCP/IP) Vulnerability

Microchip is aware of a Network software (TCP/IP) security vulnerability known as Amnesia:33, originally published by the US Department of Homeland Security (DHS) and CERT. Download the white paper to get additional information about this vulnerability. The vulnerability, which contains about 28 CVEs, affects TCP/IP software stacks used in embedded systems.

We take security issues seriously, and we are currently working to mitigate the issues and provide solutions for our clients. We have determined that this vulnerability affects some of our networking products. This page will provide the latest insight and may be updated from time to time.

Amnesia Affected Products

Our general-purpose microcontrollers are programmable with third-party TCP/IP stacks. We advise you to verify your applications against the white paper referred to above. Microchip’s distributed software and products affected by Amnesia and a proposed resolution are listed in the table below.

Device or SoftwareSourceVulnerabilities AffectedResolution
WINC1500/WINC3400Self-DisclosureCVE-2020-13987 (FSCT-2020-0009) 
CVE-2020-17439 (FSCT-2020-0017)
CVE-2020-17440 (FSCT-2020-0016)
CVE-2020-24334 (FSCT-2020-0030)
CVE-2020-24336 (FSCT-2020-0027)
Fix developed in ATWINC3400 Firmware v1.4.1
and ATWINC1500 Firmware v19.7.3.
Preprogrammed modules with latest firmware expected in 2021.
MPLAB® Harmony v3 FrameworkSelf-DisclosureCVE-2020-17439
Fix developed, available in next version 3.7.0+
MPLAB Code Configurator (MCC) FrameworkSelf-DisclosureCVE-2020-17470 (FSCT-2020-0025)Fix developed, available in version v2.2.14, Feb 2021
Microchip Libraries for Applications (MLA) FrameworkSelf-DisclosureSame as WINC1500/WINC3400Fix developed in ATWINC3400 Firmware v1.4.1
and ATWINC1500 Firmware v19.7.3
Legacy 6LowPAN solutionsSelf-DisclosureLikely. Uses Contiki OS.Fix not planned
WILC1000/WILC3000 Linux® SolutionSelf-DisclosureNot affected 
WILC1000/WILC3000 RTOS SolutionSelf-DisclosureNot affected 
RN131Self-DisclosureNot affected